Changes to Criminal Offences under the Data Protection Act 2018

The data protection regime underwent a monumental change in recent weeks, with the enactment of GDPR and the Data Protection Act (‘DPA’) 2018. Perhaps overlooked are the changes which was made to criminal offences under the Act. This article will provide an overview of the key changes, of which criminal practitioners should be aware.

Firstly, some jargon busting. A ‘data controller’ under the Act is a person who (alone or with others) decides the purposes for which and the way personal data is processed. A ‘data subject’ is a person whose data is stored. A ‘subject access request’ is a request by an individual to an organization to discover the information which is held about them.

The offence of unlawfully obtaining, or disclosing, personal data without the consent of the data controller (formerly s.55 DPA 1998) is a common feature of many prosecutions brought by the Information Commissioner’s Office (‘ICO’). This offence is applicable in a variety of situations. A claims management company trading personal data for a fee, without the consent of a data controller, is guilty of this offence. Equally, a receptionist in a medical practice who uses the information in the practice’s database to look up family and friends out of curiosity would also be guilty of this offence.

This offence has now been amended, and can be found at s.170 DPA 2018. There is a new clause in which it is a criminal offence to retain personal data without the consent of the data controller. This would cover a situation where data was provided through lawful means, then retained beyond the time consented to by the data controller. This aspect of the offence, therefore, has a broad remit.

The offence under s.170 DPA 1998 remains punishable only by way of a fine. In the previous legislation, there was a caveat which permitted the Secretary of State to alter the penalty to a custodial sentence (s.77 Criminal Justice and Immigration Act 2008). This was never used in the lifetime of the old Act. There is no provision for such a power in the new legislation. It remains the case that there are no formal sentencing guidelines for this offence.

Punishment for an offence under s.170 DPA 2018 is now confined to a financial penalty. That being so, it is conceivable to consider that, if the offending behaviour is sophisticated and/or longstanding, and causes a significant degree of harm, a prosecuting authority may take the view that charging an offence that only allows for a financial penalty would not suitably cover the criminality. There are other offences that could potentially be charged in such cases, such as fraud or computer misuse act offences and these may now be charged more frequently. It would not be wise to reassure a client that they will avoid an imprisonable offence if they have committed a data breach offence, as their prosecution may simply fall under a different guise.

A new offence created under DPA 2018 is the re-identification of de-identified personal data (s.171 DPA 2018). If personal data has been anonymised by a data controller, and the document is later amended to reveal the data without the consent of the data controller. This may have broader implications in the investigation of crime, where documents are commonly redacted and disclosed. It is possible to use software to remove the redaction on documents. To use such software, without consent, would be a criminal offence.

It remains a criminal offence to require an individual to exercise their subject access rights to gain their personal information in relation to their employment, a contract for services or the provision of goods and services (s.184 DPA 2018). It is common practice for employers to conduct their own pre-employment checks e.g. a Disclosure Barring Service (‘DBS’) check. If a data subject were to make the request (a subject access request) they would receive more information than would be included in a DBS check. The response to a subject access request would also include ‘spent’ convictions. It is a criminal offence for an employer to insist on receiving enhanced information in this way. This offence has been amended, to encompass an employer making the request recklessly.

Other criminal offences to be aware of under DPA 2018 are as follows:

  • 119 DPA 2018- obstructing the Commissioner in inspecting personal data to discharge an international obligation.
  • 131 DPA 2018- making a disclosure prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
  • 132 DPA 2018- prohibition placed upon the Commissioner, or the Commissioner’s staff against disclosing information obtained in the course of their role (which is not available to the public).
  • 144 DPA 2018- false statement made in response to an information notice.
  • 173 DPA 2018- alteration of personal data etc to prevent disclosure to data subject.
  • Para 15, Schedule 15 DPA 2018- intentional obstruction of a warrant, or failure without reasonable excuse to assist in the execution of a warrant.

Many offences under the new DPA are now recordable, which was not a feature of the old Act. It may be that this has a deterrent effect on individuals who routinely exchange personal data without consent.

The latest raft of legislation has put the use which can be made of personal data into even sharper focus than before. It may be that offences arising from the DPA 2018 become a more prominent feature within our courts.

Anna Chestnutt is currently on secondment with the Information Commissioner’s Office. To instruct Anna, please contact a member of the clerking team.